Finally learnt why my npf efforts had still failed on my Linode NetBSD ever since switching to KVM (and in hindsight perhaps why I could never get it working on Xen): Because I use securelevel 1. Doh!

I now have the following in /etc/modules.conf:

npf
bpfjit
sljit
npf_alg_icmp

Just having npf was not enough as I’d get the following without bpfjit.

npfctl: source /usr/src/sys/net/npf/npf_ctl.c line 231
npfctl: npfctl_config_send: Invalid argument

And bpfjit requires sljit (check modstat). And npf_alg_icmp is required for the Application Level Gateway stuff.

Bizarrely, though, npfctl reload will still moan about bpfjit even with it, but it seems to actually work ok.
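A pre-flight check for the situation above, added here as an example and not part of the original post: it takes modstat(8) output, reports which of the four modules listed in /etc/modules.conf are not loaded, and says whether they can still be loaded now or only via modules.conf plus a reboot (at securelevel 1 and above the kernel refuses modload(8)). The modstat listing embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that the kernel
# modules npf needs are loaded before running "npfctl reload".

REQUIRED_MODULES="npf bpfjit sljit npf_alg_icmp"

# Constructed modstat(8)-style listing: npf and bpfjit are loaded,
# sljit and npf_alg_icmp are not.
SAMPLE_MODSTAT='NAME            CLASS   SOURCE  FLAGS   REFS    SIZE    REQUIRES
bpfjit          misc    filesys 0       1       7696    sljit
npf             misc    filesys 0       1       80928   bpfjit'

# Read a modstat listing on stdin; print each required module that is
# absent from the NAME column, one per line, in REQUIRED_MODULES order.
missing_modules() {
    awk -v want="$REQUIRED_MODULES" '
        NR > 1 { loaded[$1] = 1 }
        END {
            n = split(want, names, " ")
            for (i = 1; i <= n; i++)
                if (!(names[i] in loaded)) print names[i]
        }'
}

# $1 = kern.securelevel value, $2 = space-separated missing modules.
# At securelevel >= 1 modload(8) is refused, so the only fix is to list
# the modules in /etc/modules.conf and reboot.
advice_for() {
    if [ -z "$2" ]; then
        echo "ok"
    elif [ "$1" -ge 1 ]; then
        echo "reboot-required"
    else
        echo "modload-now"
    fi
}

# Real usage on a NetBSD host (commented out so the script runs anywhere):
# missing=$(modstat | missing_modules | tr '\n' ' ')
# advice_for "$(sysctl -n kern.securelevel)" "$missing"

demo_missing=$(printf '%s\n' "$SAMPLE_MODSTAT" | missing_modules | tr '\n' ' ')
echo "missing: $demo_missing"
echo "advice: $(advice_for 1 "$demo_missing")"
```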

I’ve also updated this npf post.


[EDIT 2018-02-18] I’m pretty sure that securelevel screws with the creation of the npflog0 interface. I never had a problem until the post-Meltdown era, but I suspect the multiple reboots, migrations and a rebuild I’ve tried removed this interface and then it wouldn’t recreate. You could probably boot without securelevel to get the interface created and then reboot with it enabled and it’d stick.